Root backdoor found in surveillance gear used by law enforcement

Vulnerability one of nine critical weaknesses from lawful intercept provider.

Software used by law enforcement organizations to intercept the communications of suspected criminals contains a litany of critical weaknesses, including an undocumented backdoor secured with a hardcoded password, security researchers said today.

"Attackers are able to completely compromise the voice recording/surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication," the researchers from security consultancy SEC Consult wrote. "Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN [virtual local area network], depending on the network setup."

The researchers verified that the vulnerabilities exist in version 6.3.5. They went on to say that partial fixes for some of the flaws have been released. Still, they advised customers not to use the product "until a thorough security review has been performed by security professionals and all identified issues have been resolved."

The most serious of the weaknesses is a root backdoor account that contains poorly secured login credentials that can't easily be changed.

"The MySQL database table 'user' contains a 'root' user with USRKEY/ user id 1 with administrative access rights," the SEC Consult researchers wrote. "This user account does NOT show up within the 'user administration' menu when logged in as administrator user account in the web interface. Hence the password can't be changed there. As a side note: Password hashes are shown in the user administration menu for each user within HTML source code."

Additional vulnerabilities include:

unauthenticated access to sensitive files and voice recordings

low-privileged user access to other users' sensitive data

unauthenticated access which allows attackers to delete or modify data

The flaws may also affect former products, including Cybertech eXpress and Cybertech Myracle. The researchers said they first informed Nice representatives of the vulnerabilities in December. Two weeks ago, SEC told Nice that the advisory was scheduled for Wednesday. In addition to catering to law enforcement agencies around the world, Nice also serves other mission-critical customers, including forensic investigators, banks, utilities, and healthcare providers.

In an e-mail sent to Ars after this article was published, Nice issued the following statement:

External consulting firms often conduct such tests on our behalf, or on behalf of our customers, and we welcome these activities. If an issue is brought to our attention, we actively address it, as we have done in this instance. In accordance with our regular communications, we are in touch with our customers and partners about all product updates.

We have been addressing the issues based on priority, and can confirm that we have already resolved almost all of them, and expect the remaining fixes to be completed shortly. We do not believe any of our customers have been impacted by the items raised in this report, as these systems are deployed in a very secure environment and are not accessible outside of the organization.

If whitehats can so thoroughly hack the Nice Recording eXpress, there's little reason to think less scrupulous people can't do the same. And given the wealth of highly sensitive information at the fingertips of Nice customers, it wouldn't be surprising for there to be large numbers of attackers with both the motivation and the background to capitalize on these weaknesses.